Cyber Incident Victim: TeamViewer GmbH

Date: Apr 2019

Location: Germany

Summary

A major international cyber espionage campaign employing Winnti malware targeted numerous corporations, including German software firm TeamViewer GmbH alongside other prominent entities across Germany, Switzerland, the United States, Japan, and Indonesia. The Chinese-linked Winnti group infiltrated networks primarily through phishing emails directed at human resources personnel, masquerading as job applicants to deliver malicious links. Once inside, attackers conducted prolonged, stealthy operations to map networks and inject malicious code into widely used programs, enabling remote access and sustained data exfiltration. The group demonstrated poor operational security but exhibited patterns aligning with state-sponsored activity, focusing on intellectual property theft from high-value industrial and technology sectors. Infections were discovered after prolonged undetected presence, with multiple companies confirming compromises.

Description

In April 2019, German software company TeamViewer GmbH was identified as one of multiple major international firms compromised by the Winnti malware, linked to a Chinese state-aligned hacking group active since 2009. The incident formed part of a broader campaign targeting at least a dozen corporations across Germany, Switzerland, the United States, Japan, and Indonesia, with German companies disproportionately affected. Initial infections occurred via phishing emails targeting human resources departments and recruiters, in which attackers posed as job applicants and sent malicious links. Once an employee followed a link, the malware established remote access, enabling attackers to conduct reconnaissance and deploy additional payloads. TeamViewer's compromise was disclosed alongside that of other German industrial leaders, including BASF, Siemens, Henkel, Covestro, and Bayer, following a joint investigation by German media outlets BR and NDR, which uncovered forensic evidence of Winnti infections. Bayer had first detected the malware in early 2018 and prevented data exfiltration while tracing its origins to China, but numerous other firms, including TeamViewer, were breached before defensive measures could be widely implemented. The attackers operated with a "low and slow" methodology, silently mapping networks and injecting malicious code into commonly used applications to maintain persistence.

The Winnti group's campaign affected both Windows and Linux systems, with the Linux variant first observed in 2015. While TeamViewer's specific data losses were not disclosed, the malware's design facilitated prolonged exfiltration of sensitive corporate information. The scale of infections led an unnamed German official to describe the case numbers as "mind-boggling," and an IT security expert noted that nearly all DAX-listed corporations had likely been targeted. The attackers exhibited "poor operational security," often neglecting to conceal their activities after exfiltration, a behavior analysts associated with state-backed groups. No containment or remediation actions by TeamViewer were detailed in reports, though Bayer's early detection and analysis provided partial visibility into the threat. The incident underscored systemic weaknesses in German corporate cybersecurity, attributed to cultural resistance to modernization despite GDPR regulations. Other affected entities included Marriott, Valve, Roche, Sumitomo, Shin-Etsu, and Lion Air, spanning the pharmaceuticals, manufacturing, hospitality, and aviation sectors.
